Published by Mercy Palmer. Modified over 9 years ago.
1 R-UIM Support for Secure LBS (Stage 2)
Zhimin Du, Lijun Zhao
zdu, lzhao@qualcomm.com
QUALCOMM Incorporated
June 20, 2005
2 Copyright Notice
©2005 QUALCOMM Incorporated. All rights reserved.

QUALCOMM Incorporated grants a free, irrevocable license to 3GPP2 and its Organization Partners to incorporate text or other copyrightable material contained in the contribution and any modifications thereof in the creation of 3GPP2 publications; to copyright and sell in Organizational Partner’s name any Organizational Partner’s standards publication even though it may include portions of the contribution; and at the Organization Partner’s sole discretion to permit others to reproduce in whole or in part such contributions or the resulting Organizational Partner’s standards publication. Qualcomm Incorporated is also willing to grant licenses under such contributor copyrights to third parties on reasonable, non-discriminatory terms and conditions for purpose of practicing an Organizational Partner’s standard which incorporates this contribution.

This document has been prepared by Qualcomm Incorporated to assist the development of specifications by 3GPP2. It is proposed to the Committee as a basis for discussion and is not to be construed as a binding proposal on Qualcomm Incorporated. Qualcomm Incorporated specifically reserves the right to amend or modify the material contained herein and nothing herein shall be construed as conferring or offering licenses or rights with respect to any intellectual property of Qualcomm Incorporated other than provided in the copyright statement above.

Qualcomm Incorporated may hold one or more patents or copyrights that cover information contained in this contribution. A license will be made available to applicants under reasonable terms and conditions that are demonstrably free of any unfair discrimination. Qualcomm Incorporated reserves the right to use all material submitted in this contribution for its own purposes, including republication and distribution to others.
3 Outline
Background and overview
Four protocols in S.P0110
– LCS Provisioning Protocol
– S-SAFE Protocol
– TLS Session-A Protocol
– TLS Session-B Protocol
Proposed changes in C.S0023
4 Background (1/2)
Security functional architecture for IP-based LCS
[Figure: architecture diagram. Elements shown: Mobile Station, UIM, ME, MS-LCS Client, Access Network, IP Cloud, H-PS, S-PS, PDE in Home Network, PDE in Visited Network. Interfaces shown: LCS-x, LCS-y, LCS-z, LCS-x Store-and-Forward.]
5 Background (2/2)
NI call flow example (from X.P0024)
6 S.P0110: IP-based Location Services Security Framework
Developed in TSG-S, for security of X.P0024 IP-based Location Services
Comprises 4 protocols:
– LCS Provisioning Protocol
  » for key provisioning and derivation
– S-SAFE Protocol
  » to secure the NI trigger message SUPL-INIT (i.e. step b on the previous page)
– TLS Session-A Protocol
  » to secure the LCS-x interface communications between MS and H-PS (i.e. steps c and f on the previous page)
– TLS Session-B Protocol
  » to secure the LCS-y interface communications between MS and PDE, only applied to non-proxy mode (i.e. mainly steps g, h on the previous page)
7 LCS Provisioning Protocol (1/3)
LCS_ROOT_KEY
– The root key of IP-based LCS for one subscriber. Other keys are derived from it.
– To be provisioned into H-PS and UIM (during manufacturing, or through OTASP, or derived from a more general root key).
– Invisible to ME, PDE and other entities.
LCS_UIM_S_SAFE_KEY
– Derived from LCS_ROOT_KEY with the f3 algorithm specified in S.S0055-A (by UIM and H-PS, separately)
  » f3 (K=LCS_ROOT_KEY, fi=0x45, RAND=“LCS_UIM_S_SAFE_K”, Fmk=0x004B4352)
– Only used in the S-SAFE protocol.
– Invisible to ME, PDE and other entities.
8 LCS Provisioning Protocol (2/3)
LCS_UIM_HPS_TLS_PSK_KEY
– Derived from LCS_ROOT_KEY with the f3 algorithm specified in S.S0055-A (by UIM and H-PS, separately)
  » f3 (K=LCS_ROOT_KEY, fi=0x45, RAND=“LCS_UIM_HPS_TLS_”, Fmk=0x004B4352)
– Only used in the TLS Session-A protocol
– Invisible to ME, PDE and other entities.
LCS_UIM_PDE_ROOT_KEY
– Derived from LCS_ROOT_KEY with the f3 algorithm specified in S.S0055-A (by UIM and H-PS, separately)
  » f3 (K=LCS_ROOT_KEY, fi=0x45, RAND=“LCS_UIM_PDE_ROOT”, Fmk=0x004B4352)
– Used to derive the LCS_UIM_PDE_TLS_PSK_KEY for each PDE assignment, which will be used in the TLS Session-B protocol to secure LCS-y communications
– Invisible to ME, PDE and other entities.
9 LCS Provisioning Protocol (3/3)
LCS_UIM_PDE_TLS_PSK_KEY derivation
– H-PS generates an LCS_UIM_PDE_TLS_PSK_RAND with the f0 algorithm
– H-PS derives LCS_UIM_PDE_TLS_PSK_KEY from LCS_UIM_PDE_ROOT_KEY and LCS_UIM_PDE_TLS_PSK_RAND with the f3 algorithm
  » f3 (K=LCS_UIM_PDE_ROOT_KEY, fi=0x45, RAND=LCS_UIM_PDE_TLS_PSK_RAND, Fmk=0x004B4352)
– H-PS passes LCS_UIM_PDE_TLS_PSK_VERSION, LCS_UIM_PDE_TLS_PSK_EXPIRY, LCS_UIM_PDE_TLS_PSK_RAND, LCS_UIM_PDE_TLS_PSK_KEY to the PDE (possibly through the S-PS when needed, e.g. when roaming)
– H-PS passes LCS_UIM_PDE_TLS_PSK_VERSION, LCS_UIM_PDE_TLS_PSK_EXPIRY, LCS_UIM_PDE_TLS_PSK_RAND to the MS in the SUPL_RESPONSE message (with TLS Session-A protection, i.e. through the TLS Application Data Protocol)
– UIM derives LCS_UIM_PDE_TLS_PSK_KEY by itself with the same algorithm
– LCS_UIM_PDE_TLS_PSK_KEY is used in the TLS Session-B Protocol
– LCS_UIM_PDE_TLS_PSK_KEY is invisible to ME.
10 S-SAFE Protocol (1/2)
S-SAFE: Secure Store And Forward Encapsulation
– Provides authenticity, integrity protection, freshness protection and encryption (optional) of data in store-and-forward messages.
– H-PS forms an Envelope to enable these functions.

Parameter Name | Octets
LCS_S_SAFE_GEN_TIME | 4
LCS_S_SAFE_LOG_LIFE_TIME | 1
LCS_S_SAFE_VERSION | 2 (defined in Section 5.2.1)
LCS_S_SAFE_GOODIES_LENGTH | 2
LCS_S_SAFE_GOODIES: LCS_S_SAFE_ALG | 2
LCS_S_SAFE_GOODIES: LCS_S_SAFE_RAND | 16
LCS_S_SAFE_PAYLOAD_LEN = LCS_S_SAFE_DATA_LEN | 2
LCS_S_SAFE_PAYLOAD | Variable
LCS_S_SAFE_MAC | 8
11 S-SAFE Protocol (2/2)
– ME performs Expiry Check and Replay Detection with LCS_S_SAFE_GEN_TIME and LCS_S_SAFE_LOG_LIFE_TIME
– If success, ME passes the envelope to the UIM
– UIM derives LCS_S_SAFE_CK from LCS_UIM_S_SAFE_KEY and LCS_S_SAFE_RAND with the f3 algorithm
  » f3 (K=LCS_UIM_S_SAFE_KEY, fi=0x45, RAND=LCS_S_SAFE_RAND, Fmk=0x004B4352)
– UIM derives LCS_S_SAFE_IK from LCS_UIM_S_SAFE_KEY and LCS_S_SAFE_RAND with the f4 algorithm
  » f4 (K=LCS_UIM_S_SAFE_KEY, fi=0x46, RAND=LCS_S_SAFE_RAND, Fmk=0x004B4352)
– UIM performs Integrity Check using the MAC generation algorithm with LCS_S_SAFE_IK and LCS_S_SAFE_MAC_DATA
– If success, UIM performs Decryption using the cipher algorithm with LCS_S_SAFE_CK and LCS_S_SAFE_PAYLOAD
  » This step may be skipped if encryption is not enabled (as indicated with LCS_S_SAFE_CIPHER_ALG=0x00)
– UIM passes the LCS_S_SAFE_DATA_LEN and LCS_S_SAFE_DATA (i.e. the SUPL_INIT message in this case) to ME
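The receive order on the two S-SAFE slides (ME expiry and replay checks, then the UIM's integrity check before any payload is released), as an added example that is not part of the presentation or of S.P0110. Assumptions: big-endian fields, LCS_S_SAFE_ALG split into a cipher octet and a MAC octet, a lifetime of 2^LOG_LIFE_TIME seconds, a MAC computed over every octet before LCS_S_SAFE_MAC, and HMAC-based stand-ins for f3/f4 and ehmacsha; all function names are illustrative, and ME and UIM steps share one function only for brevity.

```python
import hashlib, hmac, struct

# Header layout from the slide: GEN_TIME(4) LOG_LIFE_TIME(1) VERSION(2)
# GOODIES_LENGTH(2) ALG(2) RAND(16) PAYLOAD_LEN(2); then PAYLOAD and MAC(8).
# Assumed: big-endian fields, ALG = cipher octet followed by MAC octet.
HDR = struct.Struct(">IBHHBB16sH")
MAC_LEN = 8

def kdf(key, fi, rand):
    """Stand-in for f3/f4 of S.S0055-A (not the real algorithm)."""
    return hmac.new(key, bytes([fi]) + rand, hashlib.sha256).digest()[:16]

def tag(ik, mac_data):
    """Stand-in for the 8-octet MAC (the slides name ehmacsha)."""
    return hmac.new(ik, mac_data, hashlib.sha1).digest()[:MAC_LEN]

def build(key, gen_time, log_life, rand, data):
    """H-PS side, used here only to construct sample input (NULL cipher)."""
    body = HDR.pack(gen_time, log_life, 1, 18, 0x00, 0x01, rand, len(data)) + data
    return body + tag(kdf(key, 0x46, rand), body)

def parse(env):
    if len(env) < HDR.size + MAC_LEN:
        raise ValueError("truncated envelope")
    gen, life, ver, glen, calg, malg, rand, plen = HDR.unpack_from(env)
    if ver != 1 or glen != 18 or len(env) != HDR.size + plen + MAC_LEN:
        raise ValueError("unsupported version or inconsistent lengths")
    return {"gen": gen, "life": life, "cipher_alg": calg, "rand": rand,
            "payload": env[HDR.size:-MAC_LEN], "mac": env[-MAC_LEN:],
            "mac_data": env[:-MAC_LEN]}

def receive(env, key, now, seen):
    """ME checks first, then the UIM's MAC check; returns data or None."""
    e = parse(env)
    # ME: expiry check (assumed lifetime = 2**LOG_LIFE_TIME seconds).
    if not (e["gen"] <= now <= e["gen"] + 2 ** e["life"]):
        return None
    # ME: replay detection against envelopes already accepted.
    if e["mac"] in seen:
        return None
    # UIM: derive IK with fi=0x46 and verify before touching the payload.
    ik = kdf(key, 0x46, e["rand"])
    if not hmac.compare_digest(tag(ik, e["mac_data"]), e["mac"]):
        return None
    if e["cipher_alg"] != 0x00:
        raise NotImplementedError("only the NULL cipher is shown")
    seen.add(e["mac"])          # remember only authenticated envelopes
    return e["payload"]
```

Recording an envelope in the replay cache only after the MAC check passes keeps a forged envelope from occupying a cache entry.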
12 TLS Protocol Brief
General Transport Layer Security protocol (IETF RFC 2246)

Client                                 Server
------                                 ------
ClientHello[H]          ------->
                                       ServerHello[H]
                        <-------       ServerHelloDone[H]
ClientKeyExchange[H]
ChangeCipherSpec[C]
Finished[H]             ------->
                                       ChangeCipherSpec[C]
                        <-------       Finished[H]
Application Data[D]

[H] Handshake protocol
[C] Change cipher spec protocol
[D] Application Data protocol

Note: The Finished message will include Verify Data, which enables the authentication.
13 TLS Session-A Protocol
TLS Session-A protocol is based on the TLS protocol with LCS_UIM_HPS_TLS_PSK_KEY as Pre-Shared Key
Two protocols:
– Handshake Protocol
– Application Data Protocol

[Figure: TLS Session-A call flow between UIM, ME and H-PS. Labels recovered from the diagram, grouped by kind rather than in flow order:]
TLS messages: ClientHello(session_id(opt), client_random); ServerHello(session_id(opt), server_random); ServerHelloDone; ClientKeyExchange(psk_identity = MIN or IMSI); ChangeCipherSpec + Finished(MS verify_data); ChangeCipherSpec + Finished(H-PS verify_data); Application Data (encrypted with Session Secret)
Values passed to and from the UIM: Other_secret, client_random, server_random; Session secrets; Other_secret, MS verify_digest; MS verify_data; Other_secret, H-PS verify_digest; H-PS verify_data
Processing notes: Include session_id if desire to resume session; Gen client_random; Resume session? Assign session_id? Gen server_random; Form other_secrets; Gen. session secrets; Form MS verify_digest; Form H-PS verify_digest; Confirm MS verify_data; Gen. H-PS verify_data; confirm H-PS verify_data; Skip to here if H-PS agrees to resume a previous session
14 R-UIM Functionality in TLS Session-A
Two types of ME and R-UIM interaction
Session Secret Generation
– ME sends Other_Secret, Master_Client_RAND, Master_Server_RAND, Current_Client_RAND, Current_Server_RAND, Server_Version, Cipher_Suite to R-UIM as input parameters.
– R-UIM runs the process to generate the Session_Secret and returns it.
– ME and H-PS will use Session_Secret in bulk ciphering and integrity protection for application data.
Verify Data Generation
– ME generates Verify_Digest, and sends Verify_Digest, Other_Secret, Master_Client_RAND, Master_Server_RAND, Finished_Label to R-UIM as input parameters
– R-UIM runs the process to generate the Verify_Data and returns it.
– ME and H-PS will authenticate each other by comparing the received Verify_Data and locally recomputed Verify_Data.
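The Verify Data Generation split described above, as an added example that is not code from the presentation or from C.S0023: the ME hashes the handshake into Verify_Digest, and the card runs the RFC 2246 PRF with the pre-shared key it holds. The `RUim` class, `peer_accepts` and the parameter names are hypothetical, and the premaster layout (length-prefixed Other_Secret followed by length-prefixed PSK, as in TLS-PSK, RFC 4279) is an assumption; Session Secret Generation is left out to keep the block to one command.

```python
import hashlib, hmac

def p_hash(alg, secret, seed, n):
    """P_hash data expansion from RFC 2246 section 5."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, alg).digest()            # A(i)
        out += hmac.new(secret, a + seed, alg).digest()
    return out[:n]

def prf(secret, label, seed, n):
    """TLS 1.0 PRF: P_MD5 over the first half XOR P_SHA-1 over the second."""
    half = (len(secret) + 1) // 2                        # halves overlap if odd
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5 = p_hash("md5", s1, label + seed, n)
    sha = p_hash("sha1", s2, label + seed, n)
    return bytes(x ^ y for x, y in zip(md5, sha))

def verify_digest(handshake_messages):
    """ME side: MD5 || SHA-1 of the handshake so far (RFC 2246, 7.4.9)."""
    return (hashlib.md5(handshake_messages).digest()
            + hashlib.sha1(handshake_messages).digest())

class RUim:
    """Hypothetical model of the card: the PSK never leaves this object."""
    def __init__(self, psk):
        self._psk = psk

    def _master_secret(self, other_secret, client_rand, server_rand):
        # Assumed premaster layout, as in TLS-PSK (RFC 4279):
        # len(other_secret) || other_secret || len(psk) || psk
        pre = (len(other_secret).to_bytes(2, "big") + other_secret
               + len(self._psk).to_bytes(2, "big") + self._psk)
        return prf(pre, b"master secret", client_rand + server_rand, 48)

    def verify_data(self, digest, other_secret, client_rand, server_rand, label):
        """Verify Data Generation: only 12 octets of output are returned."""
        ms = self._master_secret(other_secret, client_rand, server_rand)
        return prf(ms, label, digest, 12)

def peer_accepts(card, received, digest, other_secret, c_rand, s_rand, label):
    """Recompute locally and compare in constant time."""
    expected = card.verify_data(digest, other_secret, c_rand, s_rand, label)
    return hmac.compare_digest(expected, received)
```

The Finished_Label values in RFC 2246 are `client finished` and `server finished`; a peer holding a different PSK recomputes a different 12-octet value and the comparison fails.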
15 TLS Session-B Protocol
TLS Session-B protocol is based on the TLS protocol with LCS_UIM_PDE_TLS_PSK_KEY (derived from LCS_UIM_PDE_ROOT_KEY) as Pre-Shared Key
Two main portions:
– Assignment
– Interaction, including Handshake Protocol and Application Data Protocol

[Figure: TLS Session-B call flow between UIM, ME, H-PS and PDE, in two phases (Assignment, Interaction). Labels recovered from the diagram, grouped by kind rather than in flow order:]
Assignment: gen PSK_VERSION, PSK_EXPIRY, PSK_RAND; gen PSK from PDE_ROOT_KEY, PSK_RAND; PSK_VERSION, PSK_EXPIRY, PSK_RAND, PSK_KEY; PSK_VERSION, PSK_EXPIRY, PSK_RAND
TLS messages: ClientHello(session_id(opt), client_random); ServerHello(session_id(opt), server_random); ServerHelloDone; ClientKeyExchange(psk_identity = PSK_VERSION, PSK_RAND); ChangeCipherSpec + Finished(MS verify_data); ChangeCipherSpec + Finished(PDE verify_data); Application Data (encrypted with Session Secret)
Values passed to and from the UIM: PSK_VERSION, PSK_RAND, other_secret, client_random, Server_Random; Session secrets; PSK_VERSION, PSK_RAND, other_secret, MS verify_digest; MS verify_data; other_secret, PDE verify_digest; PDE verify_data
Processing notes: Include session_id if desire to resume session; Gen client_random; Resume session? Assign session_id? Gen server_random; Form other_secret; Form PSK_KEY from PSK_RAND, PDE_ROOT_KEY; Form PSK_KEY as above; Generate session secrets; Gen session_secrets; Form MS verify_digest; Gen. MS verify data; Form PDE verify_digest; Gen. PDE verify data; Gen PDE verify_data; Confirm MS verify_data; confirm PDE verify_data; Skip to here if PDE agrees to resume a previous session
16 R-UIM Functionality in TLS Session-B
Two types of ME and R-UIM interaction (similar procedures as in Session A, just more input parameters to generate LCS_UIM_PDE_TLS_PSK_KEY first)
Session Secret Generation
– ME sends PSK_Protocol_Version, PSK_RAND, Other_Secret, Master_Client_RAND, Master_Server_RAND, Current_Client_RAND, Current_Server_RAND, Server_Version, Cipher_Suite to R-UIM as input parameters
– R-UIM runs the process to generate the Session_Secret and returns it.
– ME and PDE will use Session_Secret in bulk ciphering and integrity protection for application data.
Verify Data Generation
– ME generates Verify_Digest, then sends PSK_Protocol_Version, PSK_RAND, Verify_Digest, Other_Secret, Master_Client_RAND, Master_Server_RAND, Finished_Label to R-UIM as input parameters
– R-UIM runs the process to generate the Verify_Data and returns it.
– ME and PDE will authenticate each other by comparing the received Verify_Data and locally recomputed Verify_Data.
17 Security Function Requirements to R-UIM and ME (1/2)
R-UIM Side

Protocol | Function | Version | Algorithm Specifier | Algorithm | Specified in (Reference) | Specified in (Section)
S-SAFE | LCS_S_SAFE_CK Generation | LCS_S_SAFE_VERSION = 0x0001 | N/A | f3 | [S.S0055-A] | 2.2.2.6
S-SAFE | LCS_S_SAFE_IK Generation | LCS_S_SAFE_VERSION = 0x0001 | N/A | f4 | [S.S0055-A] | 2.2.2.7
S-SAFE | Decryption | LCS_S_SAFE_VERSION = 0x0001 | LCS_S_SAFE_CIPHER_ALG = 0x00 | NULL | N/A |
S-SAFE | Decryption | LCS_S_SAFE_VERSION = 0x0001 | LCS_S_SAFE_CIPHER_ALG = 0x01 | ESP_AES | [S.S0055-A] | 2.3.2.2.4
S-SAFE | XLCS_S_SAFE_MAC Generation | LCS_S_SAFE_VERSION = 0x0001 | LCS_S_SAFE_MAC_ALG = 0x01 | ehmacsha | [S.S0078-A] | 2.1.2.1
TLS Session-A | Functions for generating master_secret, session_secrets and verify_data | Server_version = (3,1) | N/A | PRF | [RFC2246] | 5
TLS Session-B | LCS_UIM_PDE_TLS_PSK_KEY Generation | LCS_UIM_PDE_TLS_PSK_VERSION = 0x0001 | | f3 | [S.S0055-A] | 2.2.2.6
TLS Session-B | Function for generating master_secret, session_secrets and verify_data | Server_version = (3,1) | N/A | PRF | [RFC2246] | 5
18 Security Function Requirements to R-UIM and ME (2/2)
ME Side

Protocol | Function | Version | Algorithm Specifier | Algorithm | Specified in (Reference) | Specified in (Section)
S-SAFE | - | - | - | - | - | -
TLS Session-A + TLS Session-B | Computing verify_digest | Server_version = (3,1) | N/A | MD5, SHA-1 | [RFC2246] | 7.4.9
TLS Session-A + TLS Session-B | Bulk ciphering for application data | Server_version = (3,1) | BulkCipherAlgorithm = AES_128_CBC | AES_128_CBC | [RFC3268] |
TLS Session-A + TLS Session-B | MAC algorithm for application data | Server_version = (3,1) | MACAlgorithm = SHA | HMAC-SHA-1 | [RFC2246] | A.6
TLS Session-B | LCS_TIME | LCS_UIM_PDE_TLS_PSK_VERSION = 0x0001 | N/A | | S.P0110 | 6.6.1
19 Impact on C.S0023 (1/2)
Proposed changes:
Key provisioning and storage
– LCS_ROOT_KEY
– EF(LCS TLS Protocol Version): to indicate which S-SAFE and TLS protocol version the R-UIM supports
Security algorithm support
– will make reference to S.P0110 for specific algorithm requirements
Commands from ME to R-UIM (the idea is to generate universal commands that can be reused by other services that may use S-SAFE or TLS)
– S-SAFE Verification and Decryption command
– TLS Session Secret Generation Command (can cover H-PS Verify Data)
  » with two P1s, for Session-A and Session-B, respectively
– TLS Verify Data Generation Command (e.g. MS Verify Data)
  » with two P1s, for Session-A and Session-B, respectively
20 Impact on C.S0023 (2/2)
Proposed changes
Other related changes
– New References
– LCS service indicator in EF(CST)
– New EF to store H-PS address (IP and/or URL address)
Procedures description
– Needs to wait for the TSG-S WG4 document to become stable.